2H 2015 Quick Links, Part 3 (Trespass To Chattels, Privacy/Security)

* Crapps v. State, 2015 WL 8114247 (Fla. Dist. Ct. App. Dec. 8, 2015). This is a revenge porn case, and the defendant was convicted of violating an anti-stalking protection order. However, in this ruling, the court overturns his conviction for Florida’s archaic computer trespass crime, enacted in 1978. The court explains:

the charge against Appellant was based only on the unauthorized access of his ex-girlfriend’s Instagram account, not the computer server on which the account is presumably located. We say “presumably” because the only evidence in the record explaining what Instagram is was the ex-girlfriend’s testimony that it is a form of social media and “a place where you post pictures [and] your friends get to see it.” Nothing in the record establishes or explains how accessing an Instagram account works from a technological perspective, leaving unanswered whether or how Appellant’s actions amounted to accessing a specific computer, computer system, or computer network.

The court concludes by pointing out that Florida has a revenge porn crime that seems more apropos.

* Techdirt: 3taps settled its craigslist lawsuit by paying $1M to Craigslist, which was required to donate it to EFF (which filed briefs in favor of 3taps in the lawsuit). EFF post. Prior blog post.

The Computer Fraud and Abuse Act prohibits unauthorized use of computer systems. One proposed method of defining unauthorized use is to use the norms of actual computer users, restricting punishment to that which many or all agree to be unauthorized. This study measures lay authorization beliefs and punishment preferences for a variety of computer misuse activities. Though perceived authorization is strongly predictive of punishment attitudes, results show that many people view common misuse activities as unauthorized but not deserving of any meaningful punishment. Respondents also viewed as unauthorized many activities – such as ignoring a website’s terms of service, surfing the news while at work, or connecting to a neighbor’s unsecured wireless network – that scholars have argued are implicitly licensed. This divergence between perceived authorization and desired punishment presents a challenge for the CFAA framework. To avoid results that would strike both the lay public and field experts as overcriminalization, “unauthorized use” must therefore be interpreted far more narrowly than common usage would suggest.

the absence of any evidence that any consumer has suffered harm as a result of Respondent’s alleged unreasonable data security, even after the passage of many years, undermines the persuasiveness of Complaint Counsel’s claim that such harm is nevertheless “likely” to occur. This is particularly true here, where the claim is predicated on expert opinion that essentially only theorizes how consumer harm could occur. Given that the government has the burden of persuasion, the reason for the government’s failure to support its claim of likely consumer harm with any evidence of actual consumer harm is unclear…. If it were true that 30% of the consumers affected by the 1718 File exposure are likely to suffer identity theft harm, logically, it would be expected that the government, in the many years of investigation and litigation of this matter, would have discovered and identified at least one such consumer who has experienced identity theft harm…. Complaint Counsel’s assertion, based on expert opinion, that it may take “months or years” for a consumer to discover they have been victimized by identity theft, does not explain why the government, over the past seven years, in the course of investigating and litigating this case, would not have located and identified any such victims.

and

Complaint Counsel’s theory that harm is likely for all consumers whose Personal Information is maintained on LabMD’s computer network, based on a “risk” of a future data breach and resulting identity theft injury, is without merit. First, the expert opinions upon which Complaint Counsel relies do not specify the degree of risk posed by Respondent’s alleged unreasonable data security, or otherwise assess the probability that harm will result. To find “likely” injury on the basis of theoretical, unspecified “risk” that a data breach will occur in the future, with resulting identity theft harm, would require reliance upon a series of unsupported assumptions and conjecture. Second, a “risk” of harm is inherent in the notion of “unreasonable” conduct. To allow unfair conduct liability to be based on a mere “risk” of harm alone, without regard to the probability that such harm will occur, would effectively allow unfair conduct liability to be imposed upon proof of unreasonable data security alone. Such a holding would render the requirement of “likely” harm in Section 5(n) superfluous, and would contravene the clear intent of Section 5(n) to limit unfair conduct liability to cases of actual, or “likely,” consumer harm.

* NY Times: “Enormous numbers like these can make it feel as if we’re living through an epidemic of data breaches, in which no one’s bank account or credit card is safe. But the actual effect on consumers is quite different from what the headlines suggest. Only a tiny number of people exposed by leaks end up paying any costs, and for the rare victims who do, the average cost has actually been falling steadily.”

* NY Times: Hipaa’s Use as Code of Silence Often Misinterprets the Law. It’s not just healthcare providers. When I call a bank regarding my mom’s accounts and I admit I’m not my mom, they immediately try to hang up on me.

* Ars Technica: How Soviets used IBM Selectric keyloggers to spy on US diplomats

* Farhad Manjoo: Hacking Victims Deserve Empathy, Not Ridicule. The Ashley Madison “breach stands as a monument to the blind trust many of us have placed in our computers — and how powerless we all are to evade the disasters that may befall us when the trust turns out to be misplaced.”